ICS Firewall Deployment

We take it as a given that it’s essential to deploy firewalls inside ICS networks. However, it is less clear why and which properties should such firewalls have: should they be stateful? DPI? Signature-based? In this post I will try to shed some light on the topic.

Consider a typical ICS network, with a main control center that communicates with multiple remote sites. Each remote site contains several field devices, such as PLCs and IEDs. For the sake of simplicity, let’s say that the remote sites communicate only with the control center, using a trusted private VPN between the gateways.

It’s safe to say that without appropriate protection, the ICS network described would be open to numerous cyber-attacks. We can divide these attacks into several types, according to their source and destination:

Field-to-Field attacks: Attacks from one compromised remote site or field device to another remote site.

Center-to-Field attacks – Attacks that initiate traffic from the control center, aimed to harm/manipulate field devices.

Field-to-Center attacks – Attacks that initiate traffic from a remote site to the control center.

In-Field Attacks: Attacks from one field device to another field device, within the same remote site. This includes also attacks that occur within the same segregated area.

The detection of In-Field attacks, using anomaly detection, will be presented in a future post. In this post I will focus on preventing the first three attack types.

The key design elements in defending against these types of attacks are (i) segregation of the networks, (ii) identification of control center traffic, and (iii) validation of control center traffic.

The mitigating of Field-to-Field attacks starts by routing all remote site traffic to the control center, using an IPsec VPN.

In addition to the VPN, each site requires an industrial DPI firewall. With a DPI firewall the operator can set permission policies for blocking traffic from other sites and to allow users to reach to specific devices.

Using the industrial DPI firewall and VPN we can ensure that all traffic arrives from trusted IP addresses, and that each IP address receives the appropriate permissions for specific commands.

Mitigating Field-to-Center and Center-to-Field attacks is a bit more complicated. Preventing these attacks will ensure that the remote links are secure, e.g. they do not contain malware or unauthorized traffic.

Detection of malware traffic is usually performed using a firewall that is loaded with malware signatures. Since the signature database must be updated frequently, it would be most convenient to install a single instance of the firewall at the control center.

Another threat is spoofed traffic, e.g. a command that initiated at the control center with the SCADA server’s IP address, but was not actually sent from the SCADA server (but rather, for example, from a compromised server on the control center LAN).

How do we detect that such messages are spoofed? One common answer is using a stateful firewall. Stateful firewalls check the state of each connection and each protocol, and allow only packets of an open connection to pass. If we assume that the authorized devices already have connection between them, than the stateful firewall can block the spoofed, new, connections.

Deploying a stateful firewall in the control center increases the chances of identifying spoofed messages By detecting attempts to open another connection to the field device. In addition, the stateful firewall can also prevent opening multiple connections to a specific device, thus preventing several DoS attacks (such as Syn flooding). Another related property is allowing TCP connections to be opened only from one side of the firewall (e.g. SCADA server) to the other side (e.g. field devices).

Using a distributed DPI firewall together with a central stateful firewall (figure below), we can achieve a well-segregated, yet simple, ICS network. Firewalls which demand periodical updates (contains signature-based engines) should be installed at the center.

In-Field attacks, which occur within segregated areas, will be discussed in a future post.